# Deploying the BR-CESSA website to br-cessa.ust.hk The site is a Node.js (Express) app with EJS templates and an SQLite database. Below is a one-time setup on the Ubuntu VM, then how to update it later. Prerequisites: you can SSH to the VM (see **SERVER-ACCESS.md**) and have sudo via `adm1`. --- ## 1. Install Node.js (once) ```bash # Node.js 20 LTS from NodeSource curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - sudo apt-get install -y nodejs git node -v # should print v20.x ``` ## 2. Put the app on the server Copy this `website/` folder to `/opt/br-cessa/website` on the VM. Two easy options: **A. scp from your laptop (on VPN):** ```bash scp -r website adm1@143.89.208.14:/tmp/website ssh adm1@143.89.208.14 'sudo mkdir -p /opt/br-cessa && sudo mv /tmp/website /opt/br-cessa/website && sudo chown -R adm1 /opt/br-cessa' ``` **B. git:** push this folder to a repo, then `git clone` it into `/opt/br-cessa/website`. ## 3. Configure and install ```bash cd /opt/br-cessa/website cp .env.example .env nano .env # set ADMIN_USER / ADMIN_PASS (long random), optional SMTP npm install --omit=dev node server.js # quick test -> "running on http://127.0.0.1:3000" (Ctrl-C to stop) ``` ## 4. Run it as a service (systemd) ```bash sudo cp deploy/br-cessa.service /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable --now br-cessa sudo systemctl status br-cessa # should be "active (running)" ``` ## 5. Put nginx in front (port 80/443) ```bash sudo apt-get install -y nginx sudo cp deploy/nginx-br-cessa.conf /etc/nginx/sites-available/br-cessa sudo ln -s /etc/nginx/sites-available/br-cessa /etc/nginx/sites-enabled/ sudo rm -f /etc/nginx/sites-enabled/default sudo nginx -t && sudo systemctl reload nginx ``` ## 6. Open the firewall to the Internet (IMPORTANT) By default the VaaS firewall blocks incoming HTTP/HTTPS. To make the site reachable publicly: 1. Sign in to **https://vra.ust.hk** (on VPN). 2. Select the **br-cessa** server → **ACTIONS → Update Firewall Tags**. 3. Tick **"Internet Web"** (allows Internet traffic to standard http/https ports) → **SUBMIT**. - Use **"Intranet Web"** instead if the site should be reachable only inside HKUST during testing. After this, browse to **http://br-cessa.ust.hk/**. ## 7. HTTPS (recommended before going public) Request an `*.ust.hk` / `br-cessa.ust.hk` TLS certificate from HKUST ITSC, install the cert+key on the server, and enable the `443` block in `deploy/nginx-br-cessa.conf` (and the HTTP→HTTPS redirect). Then reload nginx. --- ## Updating the site later ```bash # copy changed files up (or git pull), then: cd /opt/br-cessa/website npm install --omit=dev # only if dependencies changed sudo systemctl restart br-cessa ``` ## Where the data lives - **Expressions of Interest** are stored in `data/brcessa.db` (SQLite). It's covered by the VM's daily backup; you can also copy the file off the server periodically. - View/Export submissions at **/admin** (HTTP Basic Auth — the `ADMIN_USER`/`ADMIN_PASS` from `.env`), with a **Download CSV** button. ## Logs / health ```bash sudo journalctl -u br-cessa -f # live app logs curl http://127.0.0.1:3000/healthz # should return {"ok":true} ``` ## Reminders - The VM has a **1-year lease** — renew it at vra.ust.hk before expiry (auto power-off otherwise). - Take a **snapshot** at vra.ust.hk before major OS/app changes.